I am hosting a static site on Cloudflare Pages and I ran a security test. The test revealed a few issues and recommendations. However, it seems like most of these recommendations are not in my hands, or maybe they are; I am not sure?
Any suggestions on how to fix or ignore these issues? If you recommend ignoring them, then please suggest why I should ignore these issues or recommendations.
If I am using HTTPS, I suppose that even if I do not need the HTTP ports 80/8080, I still cannot close them, because other people might use them as well since it is a shared server. So I can simply ignore the port info.
Do you know what is wrong with the SSL, and whether there is a way to hide the server info in the header when using Cloudflare Pages?
The tool is not useful, so no reason to have its URL cached in your browser.
You can pay Cloudflare to remove the header which identifies it as Cloudflare. That is an option on the Enterprise plan. However paying $60k+ a year to obfuscate something that can easily be determined in other ways seems like a waste.
A Server header that looks like this: Server: Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2 is exposing details. A response that includes Server: cloudflare is exposing nothing material, and nothing that is not already obvious to a potential attacker.
If you want to control the Cipher Suites you can use ACM. Note that in order to modify the ciphers with Cloudflare Pages you also need to upload a Custom Certificate.
Secure Renegotiation is supported when required. If you have specified only one version of TLS, then renegotiation does not matter. A good configuration with Cloudflare would set the Minimum TLS to v1.2, and enable v1.3 also.
You can create a WAF rule to block all requests to ports other than 80 and 443, but you cannot close them completely. Even if you do not create that WAF rule, if you do not have the ports open on your Origins it makes little difference.
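An added example, not from this thread, of applying the settings described in the reply above through the Cloudflare API: minimum TLS 1.2, TLS 1.3 enabled, and a custom WAF rule that blocks requests arriving on any edge port other than 80 or 443. CF_ZONE_ID and CF_API_TOKEN are assumed placeholders for your own zone and token; without CF_APPLY=1 the script only prints the requests it would send.

```shell
#!/bin/sh
# Added example (not the forum's or Cloudflare's code). Assumes CF_ZONE_ID and
# CF_API_TOKEN are set by you; run with CF_APPLY=1 to actually send the requests.
set -eu

CF_API="https://api.cloudflare.com/client/v4"

# Body for PATCH /zones/{zone}/settings/min_tls_version ("1.0" .. "1.3")
min_tls_body() { printf '{"value":"%s"}' "$1"; }

# Body for PATCH /zones/{zone}/settings/tls_1_3 ("on" or "off")
tls13_body() { printf '{"value":"%s"}' "$1"; }

# Custom WAF rule: block anything that did not arrive on port 80 or 443.
# cf.edge.server_port is the port the request hit on Cloudflare's edge.
port_rule_body() {
  printf '{"action":"block","description":"%s","expression":"%s"}' \
    "Block non-standard ports" \
    "not (cf.edge.server_port in {80 443})"
}

# Endpoint paths, kept in functions so they can be checked without network access
setting_path() { printf '/zones/%s/settings/%s' "$1" "$2"; }
rules_path()   { printf '/zones/%s/rulesets/phases/http_request_firewall_custom/entrypoint/rules' "$1"; }

# cf_call METHOD PATH BODY: send the request, or print it in dry-run mode
cf_call() {
  if [ "${CF_APPLY:-0}" = "1" ]; then
    curl -fsS -X "$1" "$CF_API$2" \
      -H "Authorization: Bearer $CF_API_TOKEN" \
      -H "Content-Type: application/json" \
      --data "$3"
    echo
  else
    echo "DRY RUN: $1 $2 $3"
  fi
}

# Minimum TLS 1.2, TLS 1.3 on, then the port-blocking rule
apply_tls_hardening() {
  zone="$1"
  cf_call PATCH "$(setting_path "$zone" min_tls_version)" "$(min_tls_body 1.2)"
  cf_call PATCH "$(setting_path "$zone" tls_1_3)"         "$(tls13_body on)"
  cf_call POST  "$(rules_path "$zone")"                    "$(port_rule_body)"
}

apply_tls_hardening "${CF_ZONE_ID:-ZONE_ID_PLACEHOLDER}"
```

The rule blocks at the edge only; as the reply notes, the ports themselves stay open on Cloudflare, so the real control is not exposing them on your origin.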
My point was that on the one hand, they say that identifying the server as Cloudflare is bad. But on the other hand, ports announcing that they identify as Cloudflare are no big deal. It’s clearly not an intelligent test.